Hi,
I just realised that
Example 34-2. Validating file uploads
Is still showing a bullshit example. It constructs a destination path
for move_uploaded_file()
that consists of user input. There is no sanity
check on it like removing / and .. sequences.
Can one of the DOC guys finally fix this code?
Stefan Esser
Stefan Esser wrote:
Example 34-2. Validating file uploads
Is still showing a bullshit example. It constructs a destination path
for move_uploaded_file()
that consists of user input. There is no sanity
check on it like removing / and .. sequences.
Would you agree that applying basename()
would be ok as a quick fix?
$uploadfile .= basename($_FILES['userfile']['name']);
instead of
$uploadfile = $uploaddir . $_FILES['userfile']['name'];
?
(in the long run i should volunteer to rewrite this, folding in
information of my former magazine article on securing uploads ...)
--
Hartmut Holzgraefe <hartmut@php.net>
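The two constructions discussed above, side by side, as an added example that is not from the thread or from the PHP manual: the unchecked concatenation beside a hardened version that applies basename() and then validates what remains. The upload directory, the extension allow-list and the sample client names are assumptions for illustration.

```php
<?php
// Added example, not the manual's code. $uploaddir, $allowed and the
// sample client names below are constructed for illustration.

// Unsafe: the destination embeds the client-supplied name verbatim, so any
// "/" or ".." inside it decides which directory the file actually lands in.
function unsafe_target(string $uploaddir, string $clientName): string
{
    return $uploaddir . $clientName;
}

// Hardened: keep only the last path component (the basename() quick fix from
// the thread), then validate the remainder before it is used as a path.
function safe_target(string $uploaddir, string $clientName, array $allowedExt): ?string
{
    $name = basename($clientName);   // drops every directory part, ".." included
    // basename() still yields "", "." or ".." for degenerate input; reject those.
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // Conservative character set: also rejects backslashes, which basename()
    // does not treat as separators on non-Windows builds.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return null;
    }
    // Allow-list the extension rather than trying to block dangerous ones.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    return rtrim($uploaddir, '/') . '/' . $name;
}

// Constructed sample values standing in for $_FILES['userfile']['name'].
$uploaddir = '/var/www/uploads/';          // assumed upload directory
$allowed   = ['png', 'jpg', 'pdf'];        // assumed allow-list
foreach (['report.pdf', '../../outside.txt', 'photo.PNG', '..', 'a\\b.png'] as $clientName) {
    printf("%-20s unsafe: %-36s safe: %s\n",
        $clientName,
        unsafe_target($uploaddir, $clientName),
        safe_target($uploaddir, $clientName, $allowed) ?? 'rejected');
}
// In a real handler, pair the validated target with is_uploaded_file()
// before calling move_uploaded_file().
```

The loop prints both targets for each sample name so the effect of the quick fix is visible at a glance; only the validated path should ever reach move_uploaded_file().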
phpdoc@lists.php.net is the right list for stuff like this btw ...
--
Hartmut Holzgraefe <hartmut@php.net>
I just realised that
Example 34-2. Validating file uploads
Is still showing a bullshit example. It constructs a destination path
for move_uploaded_file()
that consists of user input. There is no sanity
check on it like removing / and .. sequences.
Can one of the DOC guys finally fix this code?
How about you provide a patch? Or a real suggestion? Instead
of some insulting subject and message. In the very least you
may use bugs.php.net to file a bug report.
Regards,
Philip